Dumping 93LC66B (3wire mode)

SPI> [ 0x3 0 0 0
CS Enabled
TX: 0x03
TX: 0 0 0

I’m using an SPI flash chip, but the principals are the same. First I setup the chip read with command 0x03 and at address 0x00 0x00 0x00.

SPI> dump 256 test.bin

Use the dump command to dump 256 bytes to file test.bin. This simply repeats the current mode r read and puts the contents in a file.

SPI> ]

CS Disabled

Finally, manually deselect the chip to end the transaction.

image452×273 1.87 KB

Here is a dump of the chip contents in the terminal.

image620×319 4.51 KB

Here are the contents of the dump file.

This is a little akward, and eventually a pipe to file will probably make its way into the syntax compiler. It works though, and should make dumping almost any I2C/SPI storage device pretty easy.

Confirmed working “dump” command. I have eeprom.bin now on my lap-desk and looking at it in GHex. I wonder if it even has checksums. Seems like not. But editing it is not the goal. I just wanted to check if there is some data not 0xFFFFFFFFFFFFFFFF in the middle til the end.

Are there any ASCII strings? What hex editor do you use?

Or better would you zip and upload the dump? Not if it has personal info obviously.

There is name of ups /model /manufacture date and serial number in strings and baterry/acu model and some gibberish. I use GHex gui hex editor on Linux.

I could send it to you no problem. What would be funny to edit name so not Smart UPS 750i but something like “haxxed by BP5” just to check if there are checksums. Because name is what is displayed when it boots up. Changing model could be problematic if somethin relies on it. But S/N to some 1337LEETMODEL01 could be fun. Bexause its possible

Is there any point in having a repo of eeprom dumps? I assume it’s against github TOS. Is it even legal? Maybe hosted somewhere with the right to repair laws?

I use the bus pirate to learn about new chips when designing my own boards. Lots of people use it to repair stuff though.

Sometimes just knowing what a value should be at a location is enough. blinkenlabs repaired, I believe, a bench PSU by editing an incorrect calibration value the eeprom with the bus pirate. Programming a few bytes saved a machine, which is pretty cool. I only deal in open source though and don’t want to host a ROMs site or whatever.

Yeah, change a byte and see what happens now that you have a full dump.

Is it clear how writes work?

I think I will figure it out. I mean how to write. So WRITE OP code then data, address etc. But MCU is bricked so I cant verify if it actually did something after fiddling with bits. I have another working unit that I want to dump in second phase. And flash it to the brick. Should resurect it 80% chance.

Anyway this product is EOL so i guess APC company doesnt care anymore.

But still waiting fot SMPS plank because unfortunetely MCU talks 12V.

Great that you have two units. A diff of the hex would be very interesting. Extra awesome if you can unbrick it.

Yes, send a start bit like before, then the unlock writes command.

Next send the write command to change a byte (or a page? Did not get that far in data sheet).

There is also a possibility you need to erase a byte first, I do not have the data sheet in front of me.

I could do a bindiff tomorrow. I need to take apart a bit working unit. Also I believe you mentioned in DM that there are spaces instead of null bytes between strings. I think its because of how its shown on the display. Some marquee (I know only html4 word for that😅) effect with name and model on bootup.

And of course, don’t forget to send the write disable command, when done (or power cycle the chip). Else, the safety net of requiring an explicit write-enable command is lost.